Get certificate info for a SNI target with CURLOPT_SSL_VERIFYHOST=0?

[Daniel-Nashed]

To get the root CA root for for a remote server, I am using CURLINFO_CERTINFO
Works great for a normal connection. But I would need it also for a SNI target.

CURLOPT_SSL_VERIFYHOST = "0" disables SNI as documented.

SNI works well with CURLOPT_SSL_VERIFYHOST="1", if the server's root is already trusted (like via cacerts).

But the whole purpose of my operation is to retrieve a self signed or an unknown root.

Any idea how I could work-around it?
I know how to implement it native with low-level OpenSSL. But I really want to use LibCurl!

Thanks for any tip!

Daniel

[Daniel-Nashed]

Found a way to get the root also with SNI enabled.

1. Request to the URL with this combination to get the root cert with those flags

CURLOPT_SSL_VERIFYPEER = 0L
CURLOPT_SSL_VERIFYHOST = 1L

Checking the last cert I get if Subject = Issuer looping thru the results I get from CURLINFO_CERTINFO

2. Another request with and passing the retrieved root to verify with the flags to verify:

CURLOPT_SSL_VERIFYPEER = 1L
CURLOPT_SSL_VERIFYHOST = 1L

Set the root via the following option to the root as PEM received from the first call:

CURLOPT_CAINFO_BLOB